Cross-Origin Requests (CORS) in ASP.NET Core Web API

-
Cross-Origin Requests (CORS) in ASP.NET Core Web API

This blog is going to explain what a Cross Origin Request (CORS) is and how to implement it in ASP.NET Core web API. When a web page tries to access resources from a different webpage it is blocked by the browser security feature. This feature is called the Same Origin Policy (SOP). In many cases the developer has to access resources of different origins. In such cases CORS helps to relax the Same Origin Policy.

There are 3 ways to enable CORS in ASP.NET core.

  1. Middleware (name policy or default policy)
  2. Endpoint routing
  3. [EnableCORS] attribute

Let’s see that with the example.

Imagine you have an API which returns some JSON values. It’s URL is https://localhost:44351/api/Home. When trying to access another domain URL(https: // localhost: 44389 /) from the client page, it will give you the following error message.

Access to XMLHttpRequest at 'https://localhost:44351/api/Home' from origin 'https://localhost:44389' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

CORS ERROR

It happens because of the Same Origin Policy(SOP). To relax this same origin policy, you have to enable the Cross-Origin Requests (CORS) in the API. Let’s look at it one by one

Middleware

Default policy

To enable the CORS default policy, first you have to add the AddCors extension in the Startup.cs ConfigureServices() method in your API.

In the below code you can see that AddCors() is added to the service. And in the option, the default policy has been added. In the builder "https://localhost:44389" the URL has been whitelisted. 

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();

    services.AddCors(
        options => options.AddDefaultPolicy(
                builder => builder.WithOrigins("https://localhost:44389")
                .AllowAnyMethod()
                .AllowAnyHeader()
        ));
}

Next you need to add app.UseCors() middleware to the Configure() method. You must add CORS middleware before the UseRouting() middleware and after the UseAuthorization() middleware. 

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    ...
    ...
    ...

    app.UseRouting();

    app.UseCors();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

Preflight

For some CORS requests, the browser first sends the preflight request to the API. The preflight request will contain the metadata of the original request. So the API server checks the metadata and responds to the priority request, declaring whether or not it can send a response to the original request.

The following is a original request header

Original Header Request 
authority: localhost:44351
:method: GET
:path: /api/Home?_=1626359605790
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
content-type: application/json; charset=utf-8
origin: https://localhost:44389
referer: https://localhost:44389/
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
sec-ch-ua-mobile: ?0
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

Original Response
In the response you can see the access-control-allow-origin: https://localhost:44389. This means the URL is whitelisted. 

access-control-allow-origin: https://localhost:44389
content-length: 19
content-type: application/json; charset=utf-8
date: Thu, 15 Jul 2021 14:36:13 GMT
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET

Named Policy

Another method of enabling CORS via middleware is the named policy. In the below code you can see that the name ‘SamplePolicy’ has been added to the AddPolicy() method and added the "https://localhost:44389" URL to the WithOrigins() method. 
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();

    services.AddCors(
        options => options.AddPolicy("SamplePolicy",
        builder => builder.WithOrigins("https://localhost:44389")
        .AllowAnyHeader()
        .AllowAnyMethod())
        );
}

In the configure method, you have to pass the policy name "SamplePolicy" as a parameter in the app.UseCors() middleware. So it will enable the CORS. 

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
   ...
   ...
   ...

    app.UseRouting();

    app.UseCors("SamplePolicy");

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

Endpoint Routing

With endpoint routing you can enable the CORS to different endpoints using the RequireCors() extension. 

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
   ...
   ...
   ...

    app.UseRouting();

    app.UseCors();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
          endpoints.MapControllers().RequireCors("SamplePolicy");
    });
}

Enable CORS with attributes

The following is an example of how to enable CORS using the EnableCors attribute. Here the attribute is added at the Controller level. It therefore enables CORS for all methods within the system. 

[EnableCors("SamplePolicy")]
[Route("api/[controller]")]
[ApiController]
public class HomeController : Controller
{
    [HttpGet]
    public List<string> Get()
    {
        return new() { "value1", "value2"};
    }
}

Also, you can enable CORS at the method level also. So, You can add different CORS policies for each method. 

[Route("api/[controller]")]
[ApiController]
public class HomeController : Controller
{
   [EnableCors("SamplePolicy1")]
    [HttpGet]
    public List<string> Get()
    {
        return new() { "value1", "value2"};
    }

    [EnableCors("SamplePolicy2")]
    [HttpGet]
    public List<string> GetValue()
    {
        return new() { "value3", "value4"};
    }
}

I hope this helps you. Keep coding.

Comments

Post a Comment

Popular posts from this blog

Entity Framework Core (EF) with SQL Server LocalDB

-
Image
This blog is going to illustrate how to implement Entity Framework (EF) Core with SQL Server LocalDB. The Entity Framework Core enables access to data from the database. This allows developers to avoid having to write most of the data access code. And the SQL Server LocalDB works similarly to the SQL SERVER with few features. You can get the LocalDB when you install visual studio or visual studio express. You can find the .mdf and _log.ldf files in the C:/Users/{user} directory. Let see how to create a SQL Server LocalDB and implement Entity Framework Core Step 1: The first step is to add a connection. In the menu -> click Tools and select Connect to Database It will display the Add Connection window. Enter (localdb)\mssqllocaldb in the server name textbox. Then in the Select or enter a database, select master and click ok Now in the server explorer, you can find the master DB containing Tables, Views, Stored
Read more

SignalR with JavaScript in ASP.NET Core MVC

-
Image
This blog is going to explain what is SignalR and how to implement it in ASP.NET Core. SignalR is a real time application framework for ASP.NET Core. Using SignalR you can provide updated information without refreshing the page, for example poll results, game score, chat etc. Let's see how to achieve it in ASP.NET Core MVC. Step 1: First step I added the SignalR client library. To add a SignalR client library, Right click on the project in Solution Explorer and Add -> Client-Side Library. Select the provider as unpkg as shown in the image below. Enter the latest version of SignalR into the library. And selected signalr.js and signalr.min.js files. Finally clicked the install button to install the client library. Step 2: At this step I have created a VoteHub.cs class inside the Hubs folder(create a new folder called Hubs). This class inherits from the Hub class which is a base class of SignalR hub. The SendMessage method will be called by the connected client.
Read more

Localization in ASP.NET Core MVC with Example

-
Image
Using Query Strings for Request Culture and Simplifying Localization with IStringLocalizer Interface Let’s see how to implement Localization in ASP.NET Core MVC. In the first example, I am going to use the IStringLocalizer Interface in the controller to implement Localization. Additionally, when the user passes the desired language through the query string, it will display content in that language. First, let’s configure the settings in the program.cs file. builder.Services.AddLocalization(options => options.ResourcesPath = "Resources");  The AddLocalization method adds the localization service to the service container. I have added the supported cultures here. I have added two cultures: en for English and nl for Dutch. In the RequestCultureProviders , I have included QueryStringRequestCultureProvider() . This allows the system to determine the culture information from the query string. UseRequestLocalization initializes a RequestLocalizationOptions objec
Read more